
noliesjustaiden


New Member
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:04 PM, on 11/29/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18319)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\RegCure\RegCure.exe
C:\Windows\msg.exe
C:\Windows\System32\rundll32.exe
C:\Users\aiden\AppData\Local\Temp\drweb.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\msiexec.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: C:\Windows\system32\s6lfsdxj.dll - {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - C:\Windows\system32\s6lfsdxj.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [calc] rundll32.exe C:\Windows\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [calc] rundll32.exe C:\Windows\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\Users\aiden\AppData\Local\Temp\drweb.exe
O4 - HKUS\S-1-5-18\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\Windows\TEMP\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\Windows\TEMP\svchost.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\ProgramData\wefihipe\wefihipe.dll
O22 - SharedTaskScheduler: jkshf8a3rudbfa873fudfhbdugf87whjdb - {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - C:\Windows\system32\s6lfsdxj.dll
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5180 bytes

DragonMaster Jay

Site Owner
Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com


Rename ComboFix.exe to commy.exe before you save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start>Run, then copy/paste the following command into the Run box & click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner



noliesjustaiden


New Member
OK, I think I did this right.

ComboFix 09-11-29.03 - aiden 11/29/2009 22:07.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3062.1879 [GMT -6:00]
Running from: c:\users\aiden\Downloads\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Symantec AntiVirus *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Symantec AntiVirus *disabled* (Outdated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
The following files were disabled during the run:
c:\programdata\wefihipe\wefihipe.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-386116875-302951071-547392271-500
c:\$recycle.bin\S-1-5-21-76202368-2739934089-1894154702-500
c:\programdata\fumivuju\fumivuju.dll
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\aiden\AppData\Local\Microsoft\Windows\Temporary Internet Files\TestBrowser.html
c:\users\aiden\AppData\Roaming\020000002b443fd5530C.manifest
c:\users\aiden\AppData\Roaming\020000002b443fd5530O.manifest
c:\users\aiden\AppData\Roaming\020000002b443fd5530P.manifest
c:\users\aiden\AppData\Roaming\020000002b443fd5530S.manifest
c:\users\aiden\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.dll
c:\users\aiden\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.lnk
c:\users\aiden\AppData\Roaming\oembios .exe
c:\users\aiden\AppData\Roaming\sysproc64
c:\users\aiden\AppData\Roaming\sysproc64\sysproc32.sys
c:\users\aiden\AppData\Roaming\sysproc64\sysproc86.sys
c:\users\aiden\ntuser.dll
c:\users\aiden\nview .exe
c:\users\aiden\winiogon .exe
c:\users\aiden\winlogon .exe
c:\windows\msd.exe
c:\windows\mse.exe
c:\windows\msf.exe
c:\windows\msg.exe
c:\windows\System32\11478.exe
c:\windows\system32\11942.exe
c:\windows\System32\14604.exe
c:\windows\System32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\System32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\System32\2995.exe
c:\windows\system32\32391.exe
c:\windows\System32\41.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\System32\5436.exe
c:\windows\System32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9961.exe
c:\windows\system32\babopeni.dll
c:\windows\system32\birizofu.dll
c:\windows\system32\calc.dll
c:\windows\system32\certstore.dat
c:\windows\system32\config\systemprofile\ntuser.dll
c:\windows\system32\daqdrv.sys
c:\windows\system32\dezuzara.dll
c:\windows\system32\dojudemu.dll
c:\windows\system32\doneluvo.dll
c:\windows\system32\dosasowa.dll
c:\windows\system32\dubipoja.dll
c:\windows\system32\dumerulu.dll
c:\windows\system32\fivipute.dll
c:\windows\system32\fklbzu.dll
c:\windows\system32\fosajugu.dll
c:\windows\system32\futajido.dll
c:\windows\system32\godabufo.dll
c:\windows\system32\gokegubo.dll
c:\windows\system32\gonaludu.dll
c:\windows\system32\gowoyisa.dll
c:\windows\system32\gulitewe.dll
c:\windows\system32\haluvoda.dll
c:\windows\system32\hayajefe.dll
c:\windows\system32\hetepovo.dll
c:\windows\system32\hkcmd .exe
c:\windows\system32\hodisuto.dll
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\jamahesa.dll
c:\windows\system32\juposeno.dll
c:\windows\system32\kasejido.dll
c:\windows\system32\KBL.LOG
c:\windows\system32\keyiguvu.dll
c:\windows\system32\kidohili.dll
c:\windows\system32\kiyihapa.dll
c:\windows\system32\lewadiye.dll
c:\windows\system32\lilomijo.dll
c:\windows\system32\lumonuta.dll
c:\windows\system32\menetima.dll
c:\windows\system32\mikosiba.dll
c:\windows\system32\motobusi.dll
c:\windows\system32\moyedebi.dll
c:\windows\system32\nofiyeze.dll
c:\windows\system32\nuvameje.dll
c:\windows\system32\nuzevuzi.dll
c:\windows\system32\parodupa.dll
c:\windows\system32\punagazi.dll
c:\windows\system32\puwareda.dll
c:\windows\system32\ratijipe.dll
c:\windows\system32\rigagine.dll
c:\windows\system32\rinelafe.dll
c:\windows\system32\rubafila.dll
c:\windows\system32\s6lfsdxj.dll
c:\windows\system32\sihivubo.dll
c:\windows\system32\simafubu.dll
c:\windows\system32\sinebewa.dll
c:\windows\system32\sowemame.dll
c:\windows\system32\sozejudu.dll
c:\windows\system32\sudajono.dll
c:\windows\system32\sugikoza.dll
c:\windows\system32\suwunahe.exe
c:\windows\system32\tadezote.dll
c:\windows\system32\tajopava.dll
c:\windows\system32\tehayela.dll
c:\windows\system32\temuzaju.dll
c:\windows\system32\ticnlw.dll
c:\windows\system32\tiyuhaja.dll
c:\windows\system32\tuviloko.dll
c:\windows\system32\twain_32.dll
c:\windows\system32\vimopihu.dll
c:\windows\system32\vufosesa.dll
c:\windows\system32\vunokigo.dll
c:\windows\system32\wadibevu.dll
c:\windows\system32\winlogon86.exe
c:\windows\system32\winupdate86.exe
c:\windows\system32\wuyamoba.dll
c:\windows\system32\yajezadi.dll
c:\windows\system32\yejivoji.dll
c:\windows\system32\yudegoku.dll
c:\windows\system32\yuhisona.dll
c:\windows\system32\zanaruma.dll
c:\windows\system32\zehifoze.dll
c:\windows\system32\zenoyovo.dll
c:\windows\system32\zetajare.dll
c:\windows\system32\zevigulo.dll
c:\windows\system32\zewadora.dll
c:\windows\system32\zezijopi.dll
c:\windows\system32\zezojare.dll
c:\windows\system32\zofupeno.dll
c:\windows\system32\zoniraji.dll
c:\windows\system32\zutovogi.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
c:\windows\Tasks\loibqjlk.job
c:\windows\Tasks\tzwnxtue.job
c:\windows\Temp\2901521072.exe
c:\windows\Temp\3041392704.exe
c:\windows\Temp\3733657648.exe
c:\windows\Temp\478463392.exe
c:\windows\Temp\524977456.exe
c:\windows\Temp\862493568.exe
c:\windows\Temp\977339488.exe

----- BITS: Possible infected sites -----

hxxp://82.98.235.29
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_daqdrv
-------\Service_daqdrv


((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.

2009-11-30 04:37 . 2009-11-30 04:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-30 00:45 . 2009-10-08 17:31 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-30 00:45 . 2009-10-08 17:31 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-30 00:45 . 2008-11-26 18:08 131 ----a-w- c:\windows\IDB.zip
2009-11-30 00:45 . 2009-10-08 17:31 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-30 00:45 . 2009-10-08 17:31 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-11-30 00:45 . 2009-10-02 20:19 1152470 ----a-w- c:\windows\UDB.zip
2009-11-30 00:45 . 2009-09-24 14:55 97208 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2009-11-30 00:45 . 2009-09-24 14:55 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-30 00:45 . 2009-10-06 22:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-30 00:45 . 2009-09-23 22:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-30 00:45 . 2009-09-03 15:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-30 00:45 . 2009-11-30 00:45 -------- d-----w- c:\programdata\PC Tools
2009-11-30 00:19 . 2009-11-30 00:46 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-23 03:38 . 2009-11-23 03:38 -------- d-----w- c:\program files\Trend Micro
2009-11-23 03:12 . 2009-11-23 03:12 -------- d-----w- c:\programdata\RegCure
2009-11-23 03:12 . 2009-11-23 03:12 16384 d-----w- c:\program files\RegCure
2009-11-22 21:25 . 2009-11-22 21:25 -------- d-----w- c:\users\aiden\AppData\Roaming\AVG8
2009-11-20 03:58 . 2007-09-13 15:09 172032 ----a-w- c:\windows\system32\igfxres.dll
2009-11-19 02:08 . 2009-11-19 02:08 -------- d-----w- c:\programdata\AIM
2009-11-19 02:08 . 2009-11-19 02:08 8192 d-----w- c:\program files\AIM
2009-11-19 02:07 . 2009-11-19 02:07 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-11-16 01:01 . 2009-11-16 01:02 124928 ----a-w- C:\vuou.exe
2009-11-14 19:52 . 2009-11-14 19:52 39428 ----a-w- C:\cfmulknl.exe
2009-11-14 06:55 . 2009-11-14 06:55 -------- d-----w- c:\windows\Sun
2009-11-12 03:20 . 2009-08-14 13:53 2035712 ----a-w- c:\windows\system32\win32k.sys
2009-11-12 03:20 . 2009-08-10 13:05 351232 ----a-w- c:\windows\system32\WSDApi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-30 04:42 . 2009-02-09 22:06 40960 d-----w- c:\program files\Spyware Doctor
2009-11-30 04:33 . 2009-11-14 06:56 -------- d-----w- c:\programdata\fumivuju
2009-11-30 04:02 . 2009-11-14 06:56 -------- d-----w- c:\programdata\wefihipe
2009-11-27 07:23 . 2009-07-02 01:04 16384 d-----w- c:\users\aiden\AppData\Roaming\Azureus
2009-11-26 19:08 . 2009-03-26 00:38 1356 ----a-w- c:\users\aiden\AppData\Local\d3d9caps.dat
2009-11-25 03:38 . 2008-10-04 02:23 4096 d-----w- c:\program files\LimeWire
2009-11-25 03:38 . 2008-10-04 02:24 8192 d-----w- c:\users\aiden\AppData\Roaming\LimeWire
2009-11-20 04:03 . 2009-08-06 16:03 4096 d-----w- c:\users\aiden\AppData\Roaming\TuneUpMedia
2009-11-19 03:09 . 2009-04-28 11:46 4096 d-----w- c:\program files\iTunes
2009-11-19 02:49 . 2009-01-25 04:12 20 ---h--w- c:\programdata\PKP_DLdw.DAT
2009-11-19 02:48 . 2009-01-25 04:10 20 ---h--w- c:\programdata\PKP_DLdu.DAT
2009-11-16 01:02 . 2009-11-14 06:56 52736 ----a-w- C:\aywdthl.exe
2009-11-16 00:48 . 2009-02-09 21:27 12288 d-----w- c:\program files\Symantec AntiVirus
2009-11-16 00:48 . 2008-07-01 13:05 16384 d-----w- c:\program files\Common Files\Symantec Shared
2009-11-14 20:43 . 2009-09-25 22:17 4096 d-----w- c:\program files\QuickTime
2009-11-14 20:43 . 2008-07-24 12:05 12288 d-----w- c:\program files\Apoint2K
2009-11-14 20:43 . 2009-06-29 01:35 12288 d-----w- c:\program files\ManyCam 2.4
2009-11-14 20:43 . 2009-06-29 01:37 8192 d-----w- c:\program files\WeFi
2009-11-14 19:57 . 2009-06-29 01:38 4096 d-----w- c:\programdata\WeFi
2009-11-14 06:56 . 2009-11-14 06:56 40960 ----a-w- C:\kewwr.exe
2009-11-14 06:56 . 2009-11-14 06:56 32768 ----a-w- C:\aruxss.exe
2009-11-14 06:56 . 2009-11-14 06:56 -------- d-----w- c:\programdata\wevozahe
2009-11-14 06:56 . 2009-11-14 06:56 -------- d-----w- c:\programdata\hehataye
2009-11-14 06:56 . 2009-11-14 06:56 -------- d-----w- c:\programdata\migejodi
2009-11-14 06:56 . 2009-11-14 06:56 -------- d-----w- c:\programdata\nebumefo
2009-11-14 06:56 . 2009-11-14 06:56 -------- d-----w- c:\programdata\huduzitu
2009-11-14 06:56 . 2009-11-14 06:56 -------- d-----w- c:\programdata\hekayini
2009-11-14 06:56 . 2009-11-14 06:56 -------- d-----w- c:\programdata\deditami
2009-11-14 06:56 . 2009-11-14 06:56 -------- d-----w- c:\programdata\yumuyofu
2009-11-13 07:56 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-12 09:06 . 2008-07-01 14:07 8192 d-----w- c:\programdata\Microsoft Help
2009-11-05 02:16 . 2008-09-17 00:36 71872 ----a-w- c:\users\aiden\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-03 02:42 . 2009-10-03 00:39 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-30 00:35 . 2008-07-01 14:12 8192 d-----w- c:\program files\Common Files\Adobe
2009-10-22 07:35 . 2009-10-22 07:35 4096 d-----w- c:\program files\TuneUpMedia
2009-09-25 21:51 . 2009-09-25 21:51 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-20 15:58 . 2009-08-26 06:28 722416 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-14 09:44 . 2009-10-16 02:35 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 17:30 . 2009-10-16 02:36 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 15:21 . 2009-10-28 02:11 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-10 15:21 . 2009-10-28 02:11 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-09-04 12:24 . 2009-10-16 02:35 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-08-28 21:45 . 2009-08-28 21:45 53248 --sha-w- c:\windows\System32\fokazifi.dll
2009-08-27 21:32 . 2009-08-27 21:32 61952 --sha-w- c:\windows\System32\gekedufo.dll
2009-08-25 21:45 . 2009-08-25 21:45 16384 --sha-w- c:\windows\System32\hihosove.dll
2009-08-23 03:43 . 2009-08-23 03:43 16384 --sha-w- c:\windows\System32\lukosayu.dll
2009-08-27 21:32 . 2009-08-27 21:32 53760 --sha-w- c:\windows\System32\merahuro.dll
2009-08-21 21:24 . 2009-08-21 21:24 16384 --sha-w- c:\windows\System32\pinabapu.dll
2009-08-30 01:09 . 2009-08-30 01:09 54272 --sha-w- c:\windows\System32\tosokevo.dll
2009-08-26 19:14 . 2009-08-26 19:14 3 --sha-w- c:\windows\System32\vesutodu.dll
2009-08-28 21:45 . 2009-08-28 21:45 61440 --sha-w- c:\windows\System32\wigudozi.dll
2009-08-20 04:20 . 2009-08-20 04:20 16384 --sha-w- c:\windows\System32\yepogofa.dll
2009-08-29 10:53 . 2009-08-29 10:53 61952 --sh--w- c:\windows\System32\zosamulo.dll
2009-02-13 08:49 . 2009-04-15 08:15 24064 --sha-w- c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.dll
2008-07-01 11:46 . 2008-07-01 11:46 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\Apoint2K\apoint .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier .exe
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\symcuw .exe
c:\program files\CyberLink\YouCam\MUITransfer\muistartmenu .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Hewlett-Packard\HP Advisor\hpadvisor .exe
c:\program files\Hewlett-Packard\HP Quick Launch Buttons\qlbctrl .exe
c:\program files\Hewlett-Packard\HP QuickTouch\hpkbdapp .exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\hpwamain .exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\wifimsg .exe
c:\program files\HP\Digital Imaging\bin\hpqsrmon .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\HP\QuickPlay\qpservice .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\ManyCam 2.4\manycam .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Symantec AntiVirus\vptray .exe
c:\program files\WeFi\wefi .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-26 809864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-09-22 1243088]
"sawojolodo"="c:\programdata\fumivuju\fumivuju.dll" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 107112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKLM\~\startupfolder\C:^Users^aiden^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\aiden\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^aiden^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Nikon Monitor.lnk]
path=c:\users\aiden\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nikon Monitor.lnk
backup=c:\windows\pss\Nikon Monitor.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [11/29/2009 6:45 PM 207280]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [11/29/2009 6:45 PM 112592]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [11/29/2009 6:45 PM 358600]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\System32\drivers\ManyCam.sys [1/14/2008 4:06 AM 21632]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [8/13/2007 1:50 PM 41008]
S3 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20070823.002\IDSvix86.sys [7/1/2008 7:09 AM 180272]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/28/2006 6:34 AM 122008]
S4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [8/24/2007 10:07 PM 149864]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/19/2008 9:04 PM 24652]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*Deregistered* - PCTSDInjDriver32
.
Contents of the 'Scheduled Tasks' folder

2009-11-30 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]

2009-11-30 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]

2009-11-29 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]

2009-11-30 c:\windows\Tasks\User_Feed_Synchronization-{66F61C38-D9CF-417B-B2E3-809475AE2AE9}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\users\aiden\AppData\Roaming\Mozilla\Firefox\Profiles\27i2du5a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim&ncid=snsusaimc00000001
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?invocationType=bu10aiminstabie7&sredir=2706&query=
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnu.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: network.protocol-handler.warn-external.dnupdate - false.
- - - - ORPHANS REMOVED - - - -

AddRemove-Activation Assistant for the 2007 Microsoft Office suites - c:\programdata\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}\Microsoft Office Activation Assistant.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD} - c:\program files\Apoint2K\Uninstap.exe ADDREMOVE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-29 22:44
Windows 6.0.6001 Service Pack 1 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll iaStor.sys spgs.sys >>UNKNOWN [0x852D1938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8a59f322
\Driver\ACPI -> acpi.sys @ 0x805b1d4c
\Driver\atapi -> 0x853191f8
\Driver\iaStor -> iaStor.sys @ 0x8230d8e0
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2204)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\vssvc.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\windows\system32\wermgr.exe
.
**************************************************************************
.
Completion time: 2009-11-29 22:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-30 04:58

Pre-Run: 128,273,645,568 bytes free
Post-Run: 128,944,848,896 bytes free

- - End Of File - - 531565D6285ADA15EEB212F25002303C

DragonMaster Jay

Site Owner
There is some evidence of what may be a very nasty infection.
If the computer has been used for any important data, you are strongly advised to do the following, immediately:

  • Back up all important data on the machine.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well-being:

    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new password and transaction information.


==

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    C:\cfmulknl.exe
    C:\vuou.exe
    C:\aywdthl.exe
    C:\kewwr.exe
    C:\aruxss.exe
    c:\windows\System32\pinabapu.dll
    c:\windows\system32\wmploc.DLL
    c:\windows\system32\unregmp2.exe
    c:\windows\System32\fokazifi.dll
    c:\windows\System32\gekedufo.dll
    c:\windows\System32\hihosove.dll
    c:\windows\System32\lukosayu.dll
    c:\windows\System32\merahuro.dll
    c:\windows\System32\pinabapu.dll
    c:\windows\System32\tosokevo.dll
    c:\windows\System32\vesutodu.dll
    c:\windows\System32\wigudozi.dll
    c:\windows\System32\yepogofa.dll
    c:\windows\System32\zosamulo.dll

    Rootkit::
    c:\windows\system32\drivers\sptd.sys

    Folder::
    c:\programdata\fumivuju
    c:\programdata\wefihipe
    c:\programdata\wevozahe
    c:\programdata\hehataye
    c:\programdata\migejodi
    c:\programdata\nebumefo
    c:\programdata\huduzitu
    c:\programdata\hekayini
    c:\programdata\deditami
    c:\programdata\yumuyofu
    c:\program files\RegCure
    c:\program files\Viewpoint


    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-

    [-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "sawojolodo"=-
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


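As an added example, not code from HijackThis, ComboFix or this forum: a small Python triage pass over the HijackThis entries posted at the top of the thread, encoding the signals the helper read by eye (autostarts launched from a Temp directory, machine-generated value names, svchost.exe outside System32, rundll32 calling a decorated export, a populated AppInit_DLLs, a BHO with no display name, and one Run value name resolving to different binaries across hives). The length and character thresholds in looks_random are my own assumption, and the legitimate PC Tools entries are kept in the sample as negatives.

```python
from __future__ import annotations

import re

# Constructed sample: lines copied from the HijackThis log in this thread,
# with the legitimate ISTray / PC Tools entries left in as negatives.
SAMPLE_LOG = r"""
O2 - BHO: C:\Windows\system32\s6lfsdxj.dll - {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - C:\Windows\system32\s6lfsdxj.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [calc] rundll32.exe C:\Windows\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [calc] rundll32.exe C:\Windows\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\Users\aiden\AppData\Local\Temp\drweb.exe
O4 - HKUS\S-1-5-18\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\Windows\TEMP\svchost.exe (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\ProgramData\wefihipe\wefihipe.dll
O22 - SharedTaskScheduler: jkshf8a3rudbfa873fudfhbdugf87whjdb - {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - C:\Windows\system32\s6lfsdxj.dll
"""

# O4 - <hive>[\<sid>]\..\Run: [<value name>] <command>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)(?:\\(?P<sid>[^\\]+))?\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.I)
# rundll32 whose entry point is a decorated stdcall export (_Name@N)
RUNDLL_DECORATED_RE = re.compile(r"rundll32(?:\.exe)?\s+.+?\.dll,_\w+@\d+", re.I)
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")


def looks_random(name: str) -> bool:
    """Long alphanumeric blob mixing letters and digits (heuristic, assumed thresholds)."""
    compact = name.replace(" ", "")
    return (len(compact) >= 16 and compact.isalnum()
            and any(c.isdigit() for c in compact) and any(c.isalpha() for c in compact))


def check_line(line: str) -> list[str]:
    """Return the reasons a single HijackThis line deserves a second look."""
    reasons: list[str] = []
    m = O4_RE.match(line)
    if m:
        name, cmd = m["name"], m["cmd"]
        if TEMP_RE.search(cmd):
            reasons.append("autostart launches a binary from a Temp directory")
        if looks_random(name):
            reasons.append("autostart value name looks machine-generated")
        if re.search(r"\\svchost\.exe", cmd, re.I) and not re.search(r"\\system32\\svchost\.exe", cmd, re.I):
            reasons.append("svchost.exe outside System32 (name spoofing)")
        if RUNDLL_DECORATED_RE.search(cmd):
            reasons.append("rundll32 loads a DLL through a decorated export")
    elif line.startswith("O2 - BHO:"):
        parts = [p.strip() for p in line[len("O2 - BHO:"):].split(" - ")]
        if len(parts) >= 3 and parts[0].lower() == parts[-1].lower():
            reasons.append("BHO has no display name, only its DLL path")
    elif line.startswith("O7 -") and "DisableRegedit=1" in line:
        reasons.append("registry editor disabled by policy")
    elif line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs injects a DLL into every user-mode process")
    elif line.startswith("O22 - SharedTaskScheduler:"):
        entry_name = line.split(":", 1)[1].split(" - ")[0].strip()
        if looks_random(entry_name):
            reasons.append("SharedTaskScheduler entry name looks machine-generated")
    return reasons


def triage(log_text: str) -> dict[str, list[str]]:
    """Map each suspicious line to its reasons, including cross-hive Run-name reuse."""
    findings: dict[str, list[str]] = {}
    run_targets: dict[str, dict[str, str]] = {}  # value name -> {command: line}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for reason in check_line(line):
            findings.setdefault(line, []).append(reason)
        m = O4_RE.match(line)
        if m:
            cmd = USER_SUFFIX_RE.sub("", m["cmd"])
            run_targets.setdefault(m["name"], {}).setdefault(cmd, line)
    # The same value name pointing at different binaries in HKLM/HKCU/HKUS is a
    # classic sign of one dropper persisting both per user and per machine.
    for name, cmds in run_targets.items():
        if len(cmds) > 1:
            for line in cmds.values():
                findings.setdefault(line, []).append(
                    f"Run value '{name}' resolves to different binaries across hives")
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    ->", r)
```

Running it flags every entry the helper targeted in the CFScript (the calc/rundll32 pair, the drweb.exe and TEMP\svchost.exe autostarts, the regedit policy, the wefihipe AppInit_DLLs and the s6lfsdxj BHO) while the ISTray and PC Tools toolbar lines stay clean.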
